EVALUATION OF THE SMALL BUSINESS ADMINISTRATION'S
INFORMATION SECURITY PROGRAM

Report Number: 07-74
Date Issued: February 22, 2007

U.S. Small Business Administration
Office of Inspector General

Memorandum

To:      Christine Liu
         Chief Information Officer
From:    [Exemption 6]
         Assistant Inspector General for Auditing
Date:    February 22, 2007
Subject: Advisory Memorandum Report on SBA's Information Security Program

This report presents the results of our fiscal year (FY) 2006 evaluation of the Small Business Administration's (SBA) information security program. The Federal Information Security Management Act (FISMA) requires the Office of Inspector General (OIG) to annually assess SBA's progress in correcting weaknesses identified in last year's FISMA review and to provide input on SBA's annual FISMA report in accordance with specific reporting instructions issued by the Office of Management and Budget (OMB). Reporting instructions for FY 2006 were provided in OMB Memorandum 06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

Our input into SBA's annual FISMA report, which was submitted to OMB in October 2006, is attached in Appendix III. This input was based on tests of 11 of SBA's 19 major systems. Three of these systems were reviewed by different Independent Public Accountants using Statements of Auditing Standards (SAS) 70, Type II auditing procedures. Eight of these systems were reviewed by our Independent Public Accountants, KPMG, in accordance with the Federal Information Systems Control Audit Manual. We used the reviews of these 11 systems, along with our own reviews of SBA security documentation, to reach our conclusions about SBA's information security program.

We also attempted, but were unable, to review SBA's 82 non-major systems for compliance with the certification and accreditation (C&A) provisions of FISMA. SBA had not classified the sensitivity of information in 80 of its 82 non-major systems to determine which systems should be certified and accredited. A more detailed discussion of our scope and methodology is in Appendix I.

SBA reviewed a draft of this report and concurred with the findings and recommendations. SBA's full response is included in Appendix II of this report.

RESULTS

During FY 2006 SBA made a concerted effort to correct weaknesses identified in previous FISMA reviews. Consequently, only four recommendations remain unresolved. Of these, two involve corrective actions targeted for June 30, 2006, which are past due: SBA has not fully incorporated continuous monitoring of major applications and general support systems into its C&A requirements, nor has it required that configuration management plans be included in C&A packages for all of its systems. Actions on the two remaining recommendations are to be completed in calendar year 2007. Our assessment of SBA's progress in correcting previously identified weaknesses is summarized in Appendix IV.

SBA has also made improvements in its Computer Security Program. In FY 2005, SBA fully certified and accredited 9 of the 11 systems we evaluated. The two remaining systems had interim C&As. SBA also met FISMA requirements for managing an agency-wide plan of action and milestone process to track its progress in addressing IT security weaknesses, establishing agency-wide security configuration policy and guidelines, reporting security incidents, and providing security awareness training.

Despite this progress, SBA still needs to improve its program in two areas: classifying the sensitivity of its non-major systems and ensuring that contingency plans for all contractor-operated systems are tested. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires that all information and information systems be categorized by an appropriate risk level to ensure an appropriate level of information security. However, SBA had not classified the sensitivity of information in 80 of its 82 non-major systems to determine which systems should be certified and accredited. Consequently, we were unable to assess the adequacy of security protection for these systems.

SBA also did not ensure that three of seven disaster recovery plans for its major contractor-operated systems were tested. NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, and OMB Memorandum 06-20 require agencies to develop system disaster recovery plans and restoration procedures that would recover SBA's systems based upon the business impact to the agency. However, SBA did not have documentation to show that disaster recovery plans had been tested in FY 2006 for the:

       Business Development Management System;

       Contract 7(a)/503/504 Loan Servicing System; and

       Loan/Lender Monitoring System.

Because these plans have not been tested, SBA has no assurance that these systems could be restored in the event of an emergency within the time frames specified in SBA's business impact analyses. SBA needs to either modify existing contract language or related service-level agreements to ensure that all of its major contractor-operated systems are annually tested for disaster recovery and that test results are documented.

RECOMMENDATIONS

We recommend that the Chief Information Officer:

    1. Classify the FIPS 199 risk level for all non-major information systems identified in SBA's systems inventory and document these classifications in its inventory accordingly.

    2. Certify and accredit all low-, moderate-, and high-impact non-major systems in accordance with FISMA requirements.

    3. Ensure that current contracts or service-level agreements are modified to require that disaster recovery plans for all SBA contractor-operated systems are annually tested and the test results documented.

AGENCY COMMENTS

The Agency provided written comments on a draft of this report concurring with all findings and recommendations in the draft report. SBA's comments are summarized in the Results in Brief section, and the full text of the comments can be found in Appendix II to this report.

APPENDIX I. SCOPE AND METHODOLOGY

We performed an independent evaluation of SBA's information security program for the period August 16, 2003, to August 15, 2006, to reach conclusions about the adequacy of the FISMA reporting areas. Our evaluation was performed in accordance with instructions provided in the Office of Management and Budget Memorandum 06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

Our evaluation included tests of 11 of SBA's 19 major systems. Three of these systems were reviewed by different Independent Public Accountants using Statements of Auditing Standards (SAS) 70, Type II auditing procedures. Eight of these systems were reviewed by our Independent Public Accountants, KPMG, in accordance with the Federal Information Systems Control Audit Manual. In addition, for each major system tested we reviewed program documentation to determine whether each system maintained a valid certification and accreditation and had a tested disaster contingency plan for the fiscal year. Our findings were confirmed in discussions with SBA officials.

We also attempted, but were unable, to review SBA's 82 non-major systems for compliance with certification and accreditation provisions. SBA did not have adequate documentation to make valid conclusions. We also considered prior audits related to SBA's information systems computer security program issued by our office in fiscal year 2006.

Our evaluation was performed at SBA's headquarters office in Washington, D.C. from May 2006 through October 2006.

APPENDIX II. MANAGEMENT COMMENTS

Date:    January 25, 2007

To:      Debra S. Ritt
         Assistant Inspector General for Auditing

From:    Christine H. Liu [Exemption 6]
         Chief Information Officer
         Chief Privacy Officer

Subject: OCIO's Response to Draft Advisory Memorandum Report on SBA's Information Security Program

Please find attached OCIO's response to the recommendations addressed in the above report. If you require additional information, please contact me at (202) 205-6708.
[Exemption 2]

Attachment

cc:      Jovita Carranza
         Deputy Administrator

Response to Office of Inspector General's Audit Report on the Evaluation of the Small Business Administration's Information Security Program (Project No. 6028):

      1. Classify the FIPS 199 risk level for all non-major information systems identified in SBA's systems inventory and document these classifications in its inventory accordingly. (Agree)

         OCIO's Response:
         OCIO's IT Security Office developed a Minor Application Certification process that includes the classification process using FIPS 199 guidance. All systems/applications in the SBA inventory will be classified according to FIPS 199. To date, 60 systems have been rolled into a major application system or a general support system; 7 outsourced systems/applications are in the C&A process; 10 applications have been retired, and 5 outsourced systems are in the development phase. The target completion date is June 30, 2007.

      2. Certify and accredit all low-, moderate-, and high-impact non-major systems in accordance with FISMA requirements. (Agree)

         OCIO's Response:
         (See Response to No. 1 above)

      3. Ensure that current contracts or service-level agreements are modified to require that disaster recovery plans for all SBA contractor-operated systems are annually tested and test results documented. (Agree)

         OCIO's Response:
         OCIO will meet with the Office of Administration to ensure that all existing contracts and service level agreements are modified to include boilerplate language requiring annual testing of all disaster recovery plans for SBA contractor-operated systems and documentation of test results. In addition, OCIO's IT Security Office will develop a method to track compliance with this new requirement. The target completion date is September 30, 2007.

Redaction Marker

Number of Withheld Pages:   7
FOIA or PA Exemption(s):    2
Description:                Appendix III - FISMA Reporting Template

Redaction Marker

Number of Withheld Pages:   2
FOIA or PA Exemption(s):    2
Description:                Appendix IV - Open FISMA Prior Year Recommendations

APPENDIX V. REPORT DISTRIBUTION

Recipient                                                      No. of Copies

Office of the Chief Financial Officer
  Attention: Jeffrey Brown ..................................
General Counsel ...............................................       3
Office of Management and Budget ...............................       1
U.S. Government Accountability Office .........................       1